- Ransomware Spotlight: BlackCat
This section cites Trend Micro™ Smart Protection Network™ (SPN) data on BlackCat’s attempts to compromise organizations. Note that these detections pertain only to Trend Micro customers and represent only a fraction of the victims listed on BlackCat’s leak site. Our detections show that organizations in the US received the greatest number of BlackCat ransomware attacks, comprising 39.3% of the total. Australia ranks a distant second, while the rest are dispersed across Europe and Asia-Pacific.
Figure 1. 10 countries with the highest number of attack attempts in terms of infected machines for the BlackCat ransomware (November 1, 2021 to September 30, 2022)
Source: Trend Micro™ Smart Protection Network™
The highest number of detections came from the manufacturing industry, with 176, or a quarter of the total.
Figure 2. 10 industries with the highest number of attack attempts in terms of infected machines for the BlackCat ransomware (November 1, 2021 to September 30, 2022)
Source: Trend Micro™ Smart Protection Network™
This section provides information on the attacks recorded on the BlackCat group’s leak site; these entries represent successfully compromised organizations that had declined to pay the ransom as of this writing. Trend Micro’s open-source intelligence (OSINT) research and its investigation of the site show that from December 1, 2021 to September 30, 2022, the group compromised a total of 173 organizations.
Figure 3. The distribution by region of BlackCat’s victim organizations from December 1, 2021 to September 30, 2022
Sources: BlackCat’s leak site and Trend Micro’s OSINT research
Trend Micro’s product feedback on the top affected countries (shown in Figure 1) was consistent with data found on BlackCat’s leak site, which revealed that the group favored enterprises based in the US, with a victim count of 81, or 58.7% of the total. Organizations based in Europe and Asia-Pacific were also among the most targeted by the group.
Figure 4. The distribution by country of BlackCat’s victim organizations from December 1, 2021 to September 30, 2022
Sources: BlackCat’s leak site and Trend Micro’s OSINT research
BlackCat’s leak site data suggests that, in terms of industry, finance and professional services were hit hardest, followed by legal services. Technology, energy and utilities, construction, materials, and manufacturing were also significantly affected.
Figure 5. The distribution by industry of BlackCat’s victim organizations from December 1, 2021 to September 30, 2022
Sources: BlackCat’s leak site and Trend Micro’s OSINT research
Small businesses make up 52% of BlackCat’s victims, followed by midsize businesses at 26%. Combined, they constitute more than three quarters of the gang’s victims. This trend is expected to persist in the months to come.
Figure 6. The distribution by organization size of BlackCat’s victim organizations from December 1, 2021 to September 30, 2022
Sources: BlackCat’s leak site and Trend Micro’s OSINT research
BlackCat avoids the following directories:
It avoids encrypting the following files with strings in their file name:
It also prevents the encryption of files with the following extensions:
BlackCat terminates the following processes and services:
Processes:
Services:
Tactic | Techniques
---|---
Initial Access | T1078 - Valid Accounts; T1190 - Exploit Public-Facing Application
Execution | T1059 - Command and Scripting Interpreter
Defense Evasion | T1562.001 - Impair Defenses: Disable or Modify Tools; T1562.009 - Impair Defenses: Safe Mode Boot; T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
Credential Access | T1003.001 - OS Credential Dumping: LSASS Memory
Discovery | T1087 - Account Discovery; T1083 - File and Directory Discovery; T1057 - Process Discovery; T1135 - Network Share Discovery; T1016 - System Network Configuration Discovery; T1069 - Permission Groups Discovery; T1018 - Remote System Discovery
Lateral Movement | T1021.002 - Remote Services: SMB/Windows Admin Shares
Exfiltration | T1048 - Exfiltration Over Alternative Protocol; T1567 - Exfiltration Over Web Service
Impact | T1489 - Service Stop; T1490 - Inhibit System Recovery; T1486 - Data Encrypted for Impact; T1491.001 - Defacement: Internal Defacement
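The MITRE mapping above is most useful when it drives detection logic. The following is an added example (not Trend Micro’s code and not derived from a BlackCat sample): it tags constructed process-creation events with the Defense Evasion and Impact technique IDs from the table, using the command-line patterns generically associated with those technique IDs, which are an assumption of this example rather than indicators taken from this page.

```python
"""Tag process-creation events with MITRE ATT&CK technique IDs from the table.

Added example; the regexes are the generic command patterns commonly associated
with each technique ID (an assumption), not BlackCat-specific indicators.
"""
import re
from typing import Dict, List

# Technique label (as written in the table) -> pattern over the command line.
RULES: Dict[str, "re.Pattern[str]"] = {
    "T1490 - Inhibit System Recovery": re.compile(
        r"(\bvssadmin(\.exe)?\s+delete\s+shadows\b"
        r"|\bwmic(\.exe)?\s+shadowcopy\s+delete\b"
        r"|\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b)", re.I),
    "T1562.009 - Impair Defenses: Safe Mode Boot": re.compile(
        r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I),
    "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs": re.compile(
        r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "T1489 - Service Stop": re.compile(
        r"\b(net1?|sc)(\.exe)?\s+stop\s+\S+", re.I),
}


def classify(command_line: str) -> List[str]:
    """Return every technique label whose pattern matches this command line."""
    return [label for label, rx in RULES.items() if rx.search(command_line)]


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Keep only events that map to a technique, with host and labels attached,
    so an analyst can group hits by host and see the tactic sequence."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        techniques = classify(ev["cmd"])
        if techniques:
            hits.append({"host": ev["host"], "cmd": ev["cmd"], "techniques": techniques})
    return hits


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"host": "ws01", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "cmd": "bcdedit /set {default} safeboot network"},
    {"host": "fs02", "cmd": "wevtutil.exe cl Security"},
    {"host": "fs02", "cmd": "net stop ExampleBackupSvc /y"},
    {"host": "ws03", "cmd": "notepad.exe C:\\Users\\a\\notes.txt"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["host"], hit["techniques"], "<-", hit["cmd"])
```

Two different hosts each producing a Defense Evasion hit followed by an Impact hit within minutes is the pattern worth alerting on, rather than any single command in isolation.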
Security teams should watch out for the presence of the following malware tools and exploits that are typically used in BlackCat attacks:
All indications of BlackCat’s malicious activities suggest that the ransomware group is positioning itself for more aggressive attacks. Its penchant for unconventional methods, the sophistication of its techniques, and a growing affiliate base show that its operations are robust and will remain so in the future. This should give organizations more reasons to ensure that they are well informed and that they have security measures in place to ward off ransomware threats.
To protect systems against similar threats, organizations can adopt security frameworks that allocate resources systematically to build a strong defense strategy against ransomware.
Here are some best practices that organizations can consider:
A multilayered approach can help organizations guard the possible entry points into their systems (endpoint, email, web, and network). Security solutions that detect malicious components and suspicious behavior at each of these layers help protect enterprises.
The indicators of compromise (IOCs) for the threat discussed in this article can be found here. Actual indicators might vary per attack.